Monthly Security Bulletin Webcast Q&A – August, 2008

Register now for the September 2008 Security Bulletin Webcast

Security Bulletin Webcast Q&A Index 

Hosts:                         Christopher Budd, Security Response Communications Lead

                                      Adrian Stone, Lead Security Program Manager (MSRC)

Website:             TechNet/security

Chat Topic:         August 2008 Security Bulletin
Date:                           Wednesday, August 13, 2008


Q: Have you had any reports of exploitation of the recent DNS vulnerability, since Dan Kaminsky released details at Defcon last week?

A: No, we have not had any reports of an increase in active exploit since the Black Hat/Defcon talk by Dan.


Q: MS08-048: Is this vulnerability exploitable if Outlook Express is not already configured (such as when using Outlook 2002 or 2003 for reading e-mail)?

A: Yes, the vulnerability exists whether Outlook Express is configured or not.


Q: Are you aware that Security Focus has published a vulnerability disclosure, “Microsoft Windows ‘NSlookup.exe’ Unspecified Remote Code Execution Vulnerability?

A: We are aware and are currently investigating it.


Q: When can we expect a patch for the standalone Access Snapshot Viewer?

A: We are currently working on this and expect to have the patch available very soon.  The bulletin will be updated once the update is ready.


Q: Any feedback on the IPSec update affecting SBS2003 server such as last month’s issues?

A: The current IPSec Bulletin (MS08-047) should have no effect on Microsoft Small Business Server 2003 as Windows Server 2003 is not an affected product.


Q: What is the status of the release of the new Windows Update Agent 7.2.6001.784? The Microsoft Update Blog is not updated, and it is not listed in KB894199 ‘Description of Software Update Services and Windows Server Update Services changes in content for 2008 rev 145.0 2008-08-12’?

A: This is the version of the Windows Update Agent that is currently being rolled out with the new version of the Microsoft Update (MU) Service.  We already have several million users rolled out.  We expect to have the full Windows Update/Microsoft Update user base completed by mid-to-late October.  The new version for WSUS is also being rolled-out as we roll the Windows Server Update Services (WSUS) servers to the upgraded Windows Update/Microsoft Update Service.  This is all transparent to the end-user.


Q: In Ms08-047, is the IPSec traffic being referred to, the traffic between the Vista client and Server 2008?

A: In this instance, all IPSec traffic is affected – even to down-level platforms.  However, to hit this issue, IPSec policies need to be updated on a Windows Vista or Windows Server 2008 platform from a Windows 2003 domain.


Q: MS08-050: Can this vulnerability be exploited via the ActiveX control in Internet Explorer (IE) if Windows Messenger traffic is blocked by a firewall?

A: The ActiveX control that causes this vulnerability can be hit via IE even if Windows Messenger is blocked.  However, the impersonation through Messenger cannot occur if Messenger is completely blocked at the perimeter.

Q: Does MS08-050 show up in WSUS as a Windows XP update?  I don’t see Windows Messenger as one of the valid products to select for downloading?

A: Yes – this update should appear on WSUS for Messenger 4.7 on Windows XP as a Security Update for Windows XP (KB946648) and Security Update for Windows XP x64 Edition (KB946648)


Q: Will running Microsoft Baseline Security Analyzer with the option to ‘Configure computers for Microsoft Update and scanning prerequisites’ install the newest Windows Update Agent ver. 7.2.6001.784?

A: Only if they happen to be in the same “site” that has been rolled over.


Q: Is MS08-050 (Messenger) applicable to version 5.1?  It looks like the update only updates 4.7?

A: Per the bulletin at, version 5.1 is called out as affected with links to the 5.1 updates.


Q: Is MS08-044 un-installable except for Office 2000 or for Office 2007? The presenter said 2007, please clarify.

A: The Office Filters Bulletin, MS08-044, does not actually apply to Office 2007. The mention of Office 2007 in the presentation was erroneous. We apologize for the confusion.


Q: Why is the Cumulative Security Update of ActiveX Kill bits being distributed as a rollup and not a security patch? I know the advisory says there are no MS products involved, but it seems to me that since you have issued these as MS08-032 and MS08-023 previously – you would just continue to use that process.

A: This release only includes kill bits for 3rd Party controls. Microsoft does not provide a security rating for these controls. Since there is no severity associated with this release, we decided to release this update via an advisory.


Q: How is MS08-041 different from the ActiveX Bulletin from last month?

A: MS08-041 is addressing an issue in the ActiveX Control for the Snapshot Viewer for Microsoft Access. MS08-041 includes a binary change to snapview.ocx.  The killbit advisory only sets the kill bits for the 3rd party controls mentioned in the advisory.


Q: In MS08-041 (ActiveX Control for Snapshot Viewer), the Executive Summary says the vulnerability is privately reported. But in the FAQ, it says the exploit has been published and is being exploited. What is the correct status, please?

A: This vulnerability has been publicly disclosed and has been commonly referred to as “Microsoft Office Snapshot Viewer ActiveX Control Race Condition” and assigned the Common Vulnerability and Exposure number CVE-2008-2463 . When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.